doubt reg. TLS and GSSAPI

Rahul Amaram rahul at synovel.com
Fri Apr 18 10:56:47 EDT 2008


Hi Etan,
Thanks for the reply.

I am aware of what you have already mentioned. Like I already said, I 
have visited that thread wherein it is clearly mentioned that for 
pidgin version >= 2.4.0 if the Connect Server is specified (and yes I 
have given hostname and not IP address), then that would be considered 
instead of domain for GSSAPI authentication. But I wonder why in my case 
it is checking against domain. I think I'll get back to this and test 
again later as there are a few other pending tasks currently.

Thanks for the support once again. And yeah, Pidgin rocks !!! :).

Regards,
Rahul.

Etan Reisner wrote:
> On Sat, Apr 12, 2008 at 03:45:47PM +0530, Rahul Amaram wrote:
>
>> Hi Etan,
>> Thanks for the reply. I am not sure why you have felt that I have not
>> tried pidgin (I feel it must have been evident from my mail that I tried
>> pidgin). To be frank, I have been trying for about 4 days now to set up
>> pidgin + jabberd2 with GSSAPI authentication and TLS and have not
>> succeeded yet :).
>
> Then I apologize for my mistake. Generally, at least in my experience,
> when one comments on having "doubts" that indicates a lack of real
> knowledge (and thus indicates no personal testing).
>
>> Anyway, here is what I observed. As already mentioned, my set up is
>> something similar to the below:
>>
>> Domain name: company.com
>> Connect Server: jabber.example.com (192.168.36.100)
>> Connect Port: 5222
>
> You actually have 'jabber.example.com' in the Connect Server box and not
> the IP address, right? They should both work they just are handled
> internally by pidgin differently later on.
>
>> Initially company.com is not resolvable.
>>     # ping company.com
>>     ping: unknown host company.com
>>
>> Now when, I connect using non-GSSAPI authentication, it works. But when
>> I try using GSSAPI I get the error
>>     GSSAPI Error: An invalid name was supplied (Unknown code krb5 216)
>>
>> Next I modified /etc/hosts and gave the below mapping to "company.com".
>>     192.168.36.1 company.com
>>
>> Now I observed that when I run pidgin, it was trying to fetch ticket for
>> the principal xmpp/company.com (knew this by observing the kdc logs).
>
> This is why I asked about what exactly is in the Connect Server box above,
> pidgin 2.4.1 *should* be using the Connect Server if the Connect Server is
> a hostname and not an IP address.
>
>> Now finally I modified the entry in /etc/hosts as below.
>>     192.168.36.100 jabber.example.com company.com
>>
>> And now when I ran pidgin, it properly got the ticket for
>> xmpp/jabber.example.com.
>>
>> Also when I ran ping company.com it gave me the below response (as
>> expected because of the above entry in /etc/hosts).
>>     # ping company.com
>>     PING jabber.example.com (192.168.36.100) 56(84) bytes of data.
>>     64 bytes from jabber.example.com (192.168.36.100): icmp_seq=1 ttl=64 time=4.43 ms
>>
>> All this has made me conclude that pidgin is working by resolving the
>> domain name "company.com" first and then doing a reverse look-up. But
>> this is quite contrary to the behaviour mentioned in
>> http://developer.pidgin.im/ticket/5008.
>
> pidgin does resolve the Domain, but it shouldn't be doing that when a
> Connect Server is specified.
>
>> Therefore I am wondering if the above thread holds good only for
>> hostnames obtained through DNS SRV entries and not for the hostname used in
>> the "Connect Server" field.
>>
>> Apart from this, I would also like to know if there is any way I can
>> study the certificates which pidgin receives when establishing
>> connection to the jabber server. I have been studying the messages in
>> the Debug window but couldn't find any useful information there. I have
>> also seen that no certificates are saved in
>> ~/.purple/certificates/x509/tls_peers/ (I think older versions of pidgin
>> used to save the certificates here).
>
> Depending on what you want to see about the certificates and assuming your
> server has the old-ssl port (5223) open you can use "openssl s_client
> -host jabber.example.com -port 5223" to force an ssl connection at which
> point openssl will dump the cert data out at you.
>
>> I am running pidgin on debian etch. The version is 2.4.1 compiled from
>> the source. The source compilation command being:
>>     # ./configure --prefix=/opt/pidgin --enable-cyrus-sasl --enable-gnutls=yes
>> And I am using openfire as GSSAPI support seems to be bad in jabberd2.
>>
>> And lastly, are there any other xmpp clients apart from pidgin you are
>> aware of which are known to have implemented GSSAPI properly?
>
> No, sorry.
>
>> Any help would be appreciated !
>>
>>
>> Thanks and Regards,
>> Rahul.
>
> <snip>
>
> Sorry it took so long to reply.
>
>     -Etan
>   
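The behaviour Rahul observes (the requested ticket changing from xmpp/company.com to xmpp/jabber.example.com purely as a result of an /etc/hosts edit) is what you get when the GSSAPI library canonicalises the service host through a forward lookup followed by a reverse lookup before building the principal. The model below is an added example, not code from Pidgin, Cyrus SASL or MIT Kerberos: it replays the three /etc/hosts states from the thread against a constructed in-memory resolver (FakeResolver, derive_principal, pick_service_host and replay_thread are all names chosen for this example), and separately shows the Connect Server rule Etan describes (a hostname wins over the Domain, an IP literal does not).

```python
"""Illustrative model of Kerberos service-principal derivation for an XMPP
client, as discussed in the thread.  Not Pidgin/SASL/krb5 source code."""
import ipaddress
from typing import Dict, List, Optional


class FakeResolver:
    """Stand-in for the system resolver, backed by constructed /etc/hosts lines."""

    def __init__(self, hosts_lines: List[str]):
        self.forward: Dict[str, str] = {}
        self.reverse: Dict[str, str] = {}
        for line in hosts_lines:
            addr, *names = line.split()
            for name in names:
                self.forward[name] = addr
            # like the libc resolver, the first name on a line is the canonical one
            self.reverse.setdefault(addr, names[0])

    def resolve(self, name: str) -> Optional[str]:
        return self.forward.get(name)

    def reverse_lookup(self, addr: str) -> Optional[str]:
        return self.reverse.get(addr)


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def pick_service_host(domain: str, connect_server: Optional[str]) -> str:
    """Rule described in the thread: a hostname in Connect Server is used for
    GSSAPI; an IP literal (or an empty field) falls back to the Domain."""
    if connect_server and not is_ip_literal(connect_server):
        return connect_server
    return domain


def derive_principal(host: str, resolver: FakeResolver, canonicalize: bool = True) -> str:
    """Build xmpp/<name>.  With canonicalize=True the name is taken from the
    reverse mapping of the resolved address (the rdns behaviour); with
    canonicalize=False the host is used as given.  An unresolvable host fails,
    which is the 'invalid name was supplied' case from the thread."""
    addr = resolver.resolve(host)
    if addr is None:
        raise LookupError(f"{host}: unknown host")
    name = host
    if canonicalize:
        rname = resolver.reverse_lookup(addr)
        if rname:
            name = rname
    return f"xmpp/{name}"


def replay_thread(canonicalize: bool = True) -> Dict[str, str]:
    """Replay the three /etc/hosts states from the thread with the Domain used
    as the service host (what the poster observed) and return the outcome of each."""
    stages = {
        "unresolvable": [],
        "company_alone": ["192.168.36.1 company.com"],
        "company_alias": ["192.168.36.100 jabber.example.com company.com"],
    }
    results: Dict[str, str] = {}
    for label, lines in stages.items():
        try:
            results[label] = derive_principal("company.com", FakeResolver(lines), canonicalize)
        except LookupError as exc:
            results[label] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in replay_thread().items():
        print(f"{label:14s} -> {outcome}")
    print("rdns off, alias ->", replay_thread(canonicalize=False)["company_alias"])
    print("connect server  ->", pick_service_host("company.com", "jabber.example.com"))
    print("ip literal      ->", pick_service_host("company.com", "192.168.36.100"))
```

Two points worth taking from the replay. First, once the reverse mapping decides the principal, the ticket requested depends on whoever controls name resolution for the client, not on what the user typed; MIT Kerberos exposes this as the `rdns` setting in the `[libdefaults]` section of krb5.conf, and `rdns = false` makes the library use the name as supplied, which is the `canonicalize=False` path above. Second, the KDC log is the right place to check which principal was actually requested, exactly as Rahul did, because the client side only reports the generic "invalid name" failure.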